PEAP LDAP password problem

Alexey Eronko alexey.eronko at gmail.com
Tue Feb 26 08:30:29 CET 2008


Hello,

I have the usual problem for people who want to set up LDAP+PEAP integration.
I want to set up Wi-Fi with PEAP auth via FreeRADIUS.
The problem is that I can log in with an LDAP login through radtest testuser
123456 localhost 10 secret.
But I can't do the same through my Wi-Fi laptop (LDAP login), although I can
log in on my laptop with a local login (/etc/freeradius/users).

I found several suggestions for my situation, but I can't solve the
problem.

Delete:
DEFAULT        Auth-Type := LDAP
Add:
checkItem       User-Password                   userPassword
checkItem       userPassword                    lmPassword

It seems that my direct LDAP query doesn't have the attribute:
User-Password = ""

log file
==================================

   rlm_realm: No '@' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    rlm_realm: No '\' in User-Name = "username", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat:  '(&(uid=username)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=username)(objectClass=posixAccount))
rlm_ldap: checking if remote access for username is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 211 to 100.100.128.139 port 6001
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x944b46983edee9d6374c638b077a98b0
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=212,
length=347
        User-Name = "username"
        NAS-IP-Address = 100.100.128.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x944b46983edee9d6374c638b077a98b0
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020400c01980000000b616030100861000008200807d0aa8cba27d582c350fe812e3a13585488f0fd2dd93ad428
f2c412328332d3efe74a4a3ddd31f44aec192a4aafa6d96a78de561284fce538250b20fe110d972de06c41880703f3fe7326e4c5d44d1bb9d5dae51e5b05a5f7bd2e96ca9aa91ba2aaacaecc7f979d32ffd32857dcf70ef92b88a2ec2806593cd1888bbe61f6ece1403010001011603010020e1a93666bea97c8b068187f07c7a55b581fee2dc5f9b7ba1b8b920487c503178
        Message-Authenticator = 0xd7ccfc59fba379f1f22b2d86f284967f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 192
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 212 to 100.100.128.139 port 6001
        EAP-Message =
0x0105003119001403010001011603010020fcb9a12ef0f4c6ee542c7448c19f2d0a90980fbeccc23732a37133106723dc53
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9f545f6b44154fe7443c4c9b8503f14d
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=213,
length=161
        User-Name = "user"
        NAS-IP-Address = 100.100.128.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x9f545f6b44154fe7443c4c9b8503f14d
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xfb78e6a22ba9350c248c45488967f9e3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 4
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 213 to 100.100.128.139 port 6001
        EAP-Message =
0x010600201900170301001550a63ce907f8230086ea4cfe01fa4b04d285fa90fd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0491782a026ef1c37d38229aa2a09fd2
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=214,
length=189
        User-Name = "user"
        NAS-IP-Address = 100.100.128.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x0491782a026ef1c37d38229aa2a09fd2
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x02060022190017030100170c1a8d4e36f76ec984c2802da6ffc5ba177ee6d24fa2b6
        Message-Authenticator = 0x2d07b6b5d35b4a8a62e04fee324d7d37
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - user
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x0206000b0165726f6e6b6f
  PEAP: Got tunneled identity of user
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to user
  PEAP: Sending tunneled request
        EAP-Message = 0x0206000b0165726f6e6b6f
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "user"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
  PEAP: Got tunneled reply RADIUS code 11
        EAP-Message =
0x010700201a0107001b106ed1ec90bcd32cc73c262c2156f4e35b65726f6e6b6f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe6b54da771c6c9951580aa2c13a974f1
  PEAP: Processing from tunneled session code 0x8014b458 11
        EAP-Message =
0x010700201a0107001b106ed1ec90bcd32cc73c262c2156f4e35b65726f6e6b6f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe6b54da771c6c9951580aa2c13a974f1
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 214 to 100.100.128.139 port 6001
        EAP-Message =
0x010700371900170301002cf7b661ce86c13ad322a5ee1424937977095638f0df2a81f3fbf1edf93d3130ce91835ab86ea73ee239dc5de0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3bc371fff6daef9820ca18ec1a95d748
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=215,
length=243
        User-Name = "user"
        NAS-IP-Address = 100.100.128.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x3bc371fff6daef9820ca18ec1a95d748
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020700581900170301004d60cb0ad1df28d5131e19ea9db9006aae8b2fab7987ddf7b12b0ef50d864f1b1a813ef2867eb0af3f119842d120c90c8713f1bc573de395d46e26d4b755c9a81b1c2
b725fb8c124cc009c7cb77a
        Message-Authenticator = 0x446d0653078e6318ed2fcab66426a52f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 88
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message =
0x020700411a0207003c31d882c1781c00f76d0e243209bf9bacbd00000000000000005e5fe71c20fb537939dabaa9e0a5e252eeb22bbc2cb884bc0065726f6e6b6f
  PEAP: Setting User-Name to user
  PEAP: Adding old state with e6 b5
  PEAP: Sending tunneled request
        EAP-Message =
0x020700411a0207003c31d882c1781c00f76d0e243209bf9bacbd00000000000000005e5fe71c20fb537939dabaa9e0a5e252eeb22bbc2cb884bc0065726f6e6b6f
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "user"
        State = 0xe6b54da771c6c9951580aa2c13a974f1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 65
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x8014e3d0 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 215 to 100.100.128.139 port 6001
        EAP-Message =
0x010800261900170301001bb07f823ff790eaac7e023f39cdfa2c13c74448e9b40ce1b6c0335f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8b12accaa14d0c6f0c8e3d6d75bd953f
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=216,
length=193
        User-Name = "user"
        NAS-IP-Address = 100.100.128.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x8b12accaa14d0c6f0c8e3d6d75bd953f
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020800261900170301001b45b602e
857c5b518dcbb213f9a82d53af11486f45a392431f4fc11
        Message-Authenticator = 0x4cbc5e10e73739446acfdbb116669e3a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 7
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for user is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 100.100.128.139:6001, id=216,
length=193
Sending Access-Reject of id 216 to 100.100.128.139 port 6001
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1033, id=237, length=58
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
    rlm_realm: No '\' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 8
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(&(uid=user)(objectClass=posixAccount))'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter
(&(uid=user)(objectClass=posixAccount))
rlm_ldap: checking if remote access for useris allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 8
modcall: leaving group authorize (returns ok) for request 8
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 8
rlm_ldap: - authenticate
rlm_ldap: login attempt by "username" with password "password"
rlm_ldap: user DN: uid=username,ou=People,dc=company,dc=com
rlm_ldap: (re)connect to ldap1.company:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/cert/cert.pem
rlm_ldap: starting TLS
rlm_ldap: bind as uid=username,ou=People,dc=company,dc=com/password to
ldap1.in.company:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user username authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 8
modcall: leaving group LDAP (returns ok) for request 8
Sending Access-Accept of id 237 to 127.0.0.1 port 1033
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 209 with timestamp 47c2cee7
Cleaning up request 1 ID 210 with timestamp 47c2cee7
Cleaning up request 2 ID 211 with timestamp 47c2cee7
Cleaning up request 3 ID 212 with timestamp 47c2cee7
Cleaning up request 4 ID 213 with timestamp 47c2cee7
Cleaning up request 5 ID 214 with timestamp 47c2cee7
Cleaning up request 6 ID 215 with timestamp 47c2cee7
Cleaning up request 7 ID 216 with timestamp 47c2cee7
Waking up in 5 seconds...


==================================

Thank you
Era
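
Added example (not part of the original post, and not FreeRADIUS code): a small Python triage over debug output in the format shown above. It attributes lines to request numbers, separates the request that rlm_mschap rejected for lack of a cleartext or NT-Password from the one accepted by LDAP bind, and masks the three places where this log format prints the password. The sample log is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug log above (trimmed; names,
# addresses and the password are made up).
SAMPLE_LOG = '''\
modcall: entering group authorize for request 6
  modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: looking for check items in directory...
  modcall[authorize]: module "ldap" returns ok for request 6
  rad_check_password:  Found Auth-Type EAP
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  modcall[authenticate]: module "mschap" returns reject for request 6
  PEAP: Tunneled authentication was rejected.
Sending Access-Challenge of id 215 to 192.0.2.10 port 6001
Finished request 6
rad_recv: Access-Request packet from host 127.0.0.1:1033, id=237, length=58
        User-Name = "alice"
        User-Password = "s3cret"
modcall: entering group authorize for request 8
rlm_ldap: Setting Auth-Type = ldap
  rad_check_password:  Found Auth-Type ldap
modcall: entering group LDAP for request 8
rlm_ldap: login attempt by "alice" with password "s3cret"
rlm_ldap: bind as uid=alice,ou=People,dc=example,dc=com/s3cret to ldap.example.com:389
rlm_ldap: Bind was successful
  modcall[authenticate]: module "ldap" returns ok for request 8
Sending Access-Accept of id 237 to 127.0.0.1 port 1033
'''

REQ = re.compile(r"for request (\d+)")
AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")
MOD_RETURN = re.compile(r'modcall\[authenticate\]: module "([^"]+)" returns (\w+)')
SENT = re.compile(r"Sending (Access-\w+) of id")


def triage(log):
    """Group findings by request number.

    Lines without a request number are attributed to the most recently
    named request, which matches how the server interleaves module output.
    """
    requests, cur = {}, None
    for line in log.splitlines():
        m = REQ.search(line)
        if m:
            cur = int(m.group(1))
        if cur is None:
            continue
        r = requests.setdefault(cur, {"auth_types": [], "rejected_by": [],
                                      "no_hash": False, "ldap_bind_ok": False,
                                      "sent": None})
        if (m := AUTH_TYPE.search(line)):
            r["auth_types"].append(m.group(1))
        if (m := MOD_RETURN.search(line)) and m.group(2) in ("reject", "invalid"):
            r["rejected_by"].append(m.group(1))
        if "rlm_mschap: FAILED: No NT/LM-Password" in line:
            r["no_hash"] = True
        if "rlm_ldap: Bind was successful" in line:
            r["ldap_bind_ok"] = True
        if (m := SENT.search(line)):
            r["sent"] = m.group(1)
    return requests


def diagnose(requests):
    """Turn the per-request facts into one-line explanations."""
    findings = []
    for num, r in sorted(requests.items()):
        if r["no_hash"]:
            findings.append(f"request {num}: MS-CHAPv2 rejected, no cleartext "
                            "password or NT-Password was available for the user")
        if r["ldap_bind_ok"]:
            findings.append(f"request {num}: accepted by LDAP bind, which needs "
                            "the cleartext password from the client (PAP)")
    return findings


# The three spots where the log format above prints the password.
# Other modules may print secrets elsewhere; review before sharing a log.
SECRET_PATTERNS = [
    (re.compile(r'(User-Password = )"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r'(with password )"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r'(rlm_ldap: bind as [^/]+)/.*(?= to \S+$)'), r'\1/<redacted>'),
]


def redact(log):
    """Mask passwords line by line so the log can be posted publicly."""
    out = []
    for line in log.splitlines():
        for pattern, repl in SECRET_PATTERNS:
            line = pattern.sub(repl, line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print(finding)
    print(redact(SAMPLE_LOG))
```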
More information about the Freeradius-Users mailing list